Case in Point: Cyber Vulnerability Management on Campus

Sept. 13, 2017
How network scanning as a service has paid dividends at Tulane University

There are 16,000 students, faculty and staff connecting to the Tulane University network multiple times every day. Each connection is made via multiple endpoints, including laptops, smartphones and other personal devices. Every connection and every device can potentially put sensitive data at risk, leaving the university vulnerable to a devastating breach.

With cybersecurity paramount, the New Orleans-based university uses Frontline Vulnerability Manager, a console supported by a cloud-based architecture from Digital Defense Inc., of San Antonio, Texas, secured through a local VAR, Secure Nation.

The product scans and identifies weaknesses within a network and prioritizes assets so that remediation efforts reduce security risk as rapidly as possible. It opens up RMR and service opportunities for integrators, who can essentially offer “network scanning as a service.” The on-demand SaaS platform enables users to scan the entire network without having to maintain additional infrastructure.

“The importance of vulnerability assessment scanning cannot be overstated. The best cybersecurity posture is not threat incident detection and response, nor is it other threat mitigation techniques,” Frost & Sullivan Network Security Industry Analyst Christopher Kissel notes in his article, Leveraging Vulnerability Management for Enhanced Security. “The best threat response is prevention.”

Digital Defense acts as a security consultant for the integrator, providing the security management services portion of a contract to the customer. A flexible licensing model depends on the frequency of scanning that the customer requires. Neil Butchart, the company’s SVP of global sales, says integrators stand to gain “significant margin” on the services provided to the customer.

How the Technology Works

Unlike tools previously used by the university, which siloed data and only enabled the scanning and analysis of five or six college departments or network segments per month, the technology helps identify trends and outliers through the analysis of aggregated data.

Tulane University’s Assistant Vice President of Information Security and Policy Officer Hunter Ely notes that higher education institutions have to walk a fine line between making sure the students, faculty and staff connecting to the university’s networks are kept safe and secure, while also being careful not to become the Internet police.

Mark Liggett, Tulane’s Senior Security Analyst, is Tulane’s one full-time equivalent in a security team of eight members. He says the cybersecurity product is suited to an array of users – many of whom may not be cybersecurity savvy – from incoming freshmen to absent-minded professors.

“We never want to prevent people from accessing the data they need for projects and research,” Ely says. “Every time a student, faculty or staff member goes online, the university has to consider if our security policies and procedures are properly protecting them without blocking them from accessing useful information.”

A good example came when a cybersecurity scan discovered unprotected files. “They had files that should not be open to the public – either outsiders or others in the college,” Liggett says.

Once the situation was discovered, it took over a day to complete the security investigation. Liggett blocked the MAC address. Once the user was identified, Liggett had a tete-a-tete with the user to explain the compliance issues. At that point, a worried user was assured that it was an easy fix without having to reinvent the wheel.

If Liggett had one concern about a cloud-based system, it was the amount of time and bandwidth it would take to scan a network serving 16,000 students, faculty and staff. In reality, a full scan – which Tulane performs two or three times annually – takes about 36 hours.

“I was a bit skeptical about bandwidth pressure,” Liggett says. While Tulane is part of the Louisiana Optical Network Initiative (LONI) and has high bandwidth to the Internet and fiber networks to all of its campus networks, he was still a bit concerned about how much pressure a 36-hour, full network scan would put on bandwidth. “That has not been the case,” he says.

Underpinned by cutting-edge technology, Frontline VM identifies weaknesses within Tulane’s Windows and UNIX networks and prioritizes assets to ensure remediation efforts reduce security risk as rapidly as possible. In addition, Liggett likes the post-scan notification feature that enables other stakeholders to be notified about the results of a scan and open a dialog about any issues. Role-based reports present relevant data to the users, executive leadership and auditors.

After three or four scans, Liggett caught on to the nuances of the system. “It is pretty intuitive,” he says. “We were functioning at 90 percent as soon as we set it up.”

Leveraging MSPs

With the continued movement towards security outsourcing due to rapidly evolving technology, increasingly motivated and effective attackers, and a security labor shortage, managed security service providers are expected to help end-customers find, understand and close critical vulnerabilities.

Butchart says Digital Defense’s sweet spot is working as trusted advisors to small-to-midsize VARs with five to 50 employees that focus on a security-centric client base. The cloud-based system eliminates ongoing capital expenditures and frees both integrators and users like Liggett from concerns about technology obsolescence and the burden of performing software and hardware updates.

Butchart says they are open to working with dealers who have experience with competitive technology or with their own offering. “There is a good opportunity to make significant margin on the services to the customer,” Butchart says. “We provide a service that the customer cannot do themselves.”

“Our dealers are not competing against a lot of other VARs in the same area,” Butchart says. “That drives down margins.”

Curt Harler is a freelance writer. Learn more at www.curtharler.com.  

About the Author

Curt Harler is a freelance writer specializing in technology, security and telecommunications. He can be reached at [email protected].